Monday, December 27, 2010

The Federal Trade Commission (FTC) Red Flags Rule implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The new Rule requires creditors and financial institutions to implement written identity theft detection and monitoring program(s). Creating an identity theft program helps businesses detect and respond to warning signs of identity theft. The Rule relates to two sections in the FACT Act-Section 315 deals with the address match requirement; Section 114 deals with the "Red Flag" alert requirement. A Red Flag is a "pattern, practice or specific activity that indicates the possible existence of identity theft."

Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. The Identity Theft Resource Center® (ITRC) states "Identity Theft is a crime in which an impostor obtains key pieces of personal identifying information (PII) such as Social Security numbers and driver's license numbers and uses them for their own personal gain."

After numerous delays and requests for clarifications on who is actually covered by this regulation, the rules are scheduled to go into effect this Friday, December 31, 2010.

Identity theft is an insidious crime, which can devastate you financially, cause your credit to quickly erode, and can take years to restore your identity--an absolute nightmare.

Does this Rule apply to my company?

The Rule requires creditors and financial institutions to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. "Creditors" are defined in this new law as entities who:

1) Obtain or use consumer reports in connection with a credit transaction;
2) Furnish information to consumer reporting agencies in connection with a credit transaction; or
3) Advance funds to a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.

Only creditors and financial institutions that have "covered accounts" need a Program. Once you've determined you're a creditor or financial institution under the Red Flags Rule, the next step is to figure out if you have any "covered accounts." The FTC's website defines "covered accounts" as either:

1) Consumer accounts designed to permit multiple payments or transactions, or
2) Any other account that presents a reasonably foreseeable risk from identity theft. It further notes that "...the Rule applies to you if you provide products or services and bill customers later."

This new regulation casts a wide net -- many, many companies will be liable to comply. Elements of creating your company's identity theft program include these steps:

The new Rule contains an Address Match Requirement, which applies to users of credit reports who get a notice of address discrepancy from a consumer reporting agency. A notice of address discrepancy is a notice that the address included in the user's request for a consumer report and the address or addresses in the consumer reporting agency's files are substantially different.

When do I need to comply? What are the fines/penalties for non-compliance?

After numerous delays and requests for clarifications on who is actually covered by this regulation, the rules are scheduled to go into effect this Friday, December 31, 2010.

The fines are significant and your company can suffer serious financial exposure for non-compliance. The FTC's website states it "....can seek both monetary civil penalties and injunctive relief for violations of the Red Flags Rule. Where the complaint seeks civil penalties, the U.S. Department of Justice typically files the lawsuit in federal court, on behalf of the FTC. Currently, the law sets $3,500 as the maximum civil penalty per violation. Each instance in which the company has violated the Rule is a separate violation."

Should a Company demonstrate a pattern of non-compliance, your State's Office of the Attorney General may decide it warrants intervention, and can a file civil lawsuit under consumer protection statutes.

--------ABOUT THE AUTHORHenry Enright is an expert in Fraud Management and Risk Assessment, with recent accomplishments in Training, Regulatory Compliance (including the Red Flags Rule), Records Management and Investigations. He was recently interviewed by a local TV station on the topic of “Identity Theft & Internet Safety.” Combining his strong legal research and project management skills, he delivers preemptive fraud and risk management services, along with Regulatory and Business Ethics Compliance expertise. He is currently conducting fraud prevention/detection awareness seminars to both private sector and government employees (including law enforcement). A wireless industry veteran, he has performed roles in Operations, Enterprise Risk Management, Legal, and recently consulted for a startup location-based services (satellite A-GPS technology) company as a Business Architect. For more information, contact henry.enright5@gmail.com or 201.960.0052.